4 www.hakin9.org/en www.hakin9.

org/en 5
ID Thefts
4
team
Editor in Chief: Ewa Dudzic
ewa.dudzic@software.com.pl
Managing Editor: Karolina Lesiska
karolina.lesinska@hakin9.org
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn,
Steve Lape, Shyaam Sundhar, Donald Iverson, Michael Munt
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
Proofreaders: Michael Munt
Top Betatesters: Rebecca Wynn, Bob Folden, Shayne Cardwell,
Simon Carollo, Graham Hili.
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 magazine.
Senior Consultant/Publisher: Pawe Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Marketing Director: Karolina Lesiska
karolina.lesinska@hakin9.org
Subscription: en@hakin9.org
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams we used program
by

The editors use automatic system
Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
Dear Readers,
Hope you did like the first extra issue of Hakin9 devoted to the topic
of exploiting software. Now, we are focusing on a very alarming
phenomena nowadays ID thefts. In the era of the Internet, we do
most things via Internet shopping, organizing trips, signing up for
courses etc. And the so popular social networks are definitely not
helping as well...
As you will read in one of the articles: Information is being collected
about us every second of every day without us ever realizing what
happens to it. Most of us dont really care what happens to our
personal data as long as it isnt misused. So lets go up close and
personal by taking a brief glance at how you can proteprct your
personal data...
I hope you will find here lots of useful information that will help in
keeping your personal data safe.
enjoy!
Karolina Lesiska
PRACTICAL PROTECTION IT SECURITY MAGAZINE
06 News Stories
by Julian Evans and ID Theft Protect
10 Identity Theft/Fraud Self Protection Toolkit
by Rebecca Wynn
Your identity is a valuable commodity. You need it to function in
everyday life. You need evidence of who you are to open bank
accounts, obtain credit cards, finance, loans and mortgages,
to obtain goods or services, or to claim benefits. But you
may not be the only person using your own personal details,
and your identity can be stolen and used by fraudsters who
can impersonate you and take out various forms of credit or
services, using your name. Your personal data, especially
your Social Security number, your bank account or credit card
number, your telephone calling card number, and other valuable
identifying data can be used, if they fall into the wrong hands,
to personally profit at your expense.
18 Proactively Defending Against Identity Theft
by Gary S. Miliefsky
ID theft is a crime that takes place when someone wrongfully
obtains and uses another persons personal data in some way
that involves fraud or deception for financial gain. You might
be able to protect your fingerprints for some time, as they are
unique to you and cannot be given to someone else for their use
but your personal information associated with your identity also
includes our social security number or government id, drivers
license, bank accounts, credit card numbers, cellular and land
line telephone numbers, e-mail address, web site and other
personal markers can and will be stolen and in many cases
over the internet.
4 www.hakin9.org/en www.hakin9.org/en 55
CONTENTS
22 Identity Proof Your Personal Data
by Julian Evans
Information is being collected about us every second of every day without us
ever realizing what happens to it. Most of us dont really care what happens to
our personal data as long as it isnt misused. So lets go up close and personal
by taking a brief glance at how you can protect your personal data if you are
a UK citizen. Worth remembering, your data held in the UK is also shared with
other countries, mainly the English speaking world i.e. Canada, New Zealand,
USA, South Africa and Australia to name a few. The credit reporting agencies
share this data with these countries and in particular when people migrate to
these countries. Every country has its own data protection laws but for the
benefit of this article we will concentrate on the UK.
26 Ask The Social-Engineer: How do Identity Thieves
Use Social Engineering Skills?
by Christopher Hadnagy
This is a good question. There are quite a few ways that social engineering
is used by malicious identity thieves, let me name just a few methods that
are used and then you will see how they do their deeds.
28 Phishing
by Harshad Mehta
As the world of cyber space evolved, so did the various beleaguered
complications. Nothing it seems comes without a loophole. The reach of
internet in banking and shopping domain has increased exponentially in
the past decade and so has the innocuous attempts at gaining perfidious
and pervert secret access to the various interacting channels of information
and data. Of all the internet based attacks targeted at networks, phising
has evolved at a major threat to clients and companies alike. The biggest
victims have been the banking sector, the online shopping and auction
sites coming a close second.
36 Design Flaws in IP Surveillance Cameras
Exploiting Web Interfaces
by Aditya K Sood and Bipin Gajbhiye
IP surveillance cameras are used extensively for monitoring of live targets.
However, inherent design of web interface of IP surveillance cameras
suffers from various flaws. This paper sheds light on the vulnerabilities
that exist in the design and deployment of web application interface of IP
surveillance cameras. This paper is an outcome of the extensive testing of
the deployed IP surveillance cameras in the live environment as a part of
the open research.
42 Nessus Basics
by Mohsen Mostafa Jokar
The Nessus Project was started by Renaud Deraison in 1998 , Nessus
was not the first free open-source vulnerability scanner but it is the most
ubiquitous open source scanner. On October 5, 2005, Tenable Network
Security changed Nessus 3 to a proprietary license. Organizations could
now pay for reliable assistance or a fully supported appliance to operate
their Nessus scanner. Nessus is a robust vulnerability scanner that is well
suited for large enterprise networks.
www.hakin9.org/en 6
ID THEFTS
www.hakin9.org/en 7
News stories on ID thefts
News stories
on ID thefts
Popular Generic Identity Fraud instances
Bin ID theft (or dumpster diving)
Fraudsters will sift through bins which are on public
property. Currently if the bin/waste is on a street (not
on public property) it isnt illegal to sift through the bin.
Fraudsters also visits tip/recycling sites for personal
information. This is a very efficient way of finding
personal information i.e. financial statements, name,
address, and date of birth. Criminal gangs pay children
to sift through bins. Once the fraudster has enough
information they will apply for a loan, credit card, mobile
phone contract or open a bank account.
Card Not Present (CNP)
Purchasing goods/services online without the need
for a chip and pin code. This is linked to Card Fraud
Abroad whereby fraudsters can use a debit or credit
card without a chip and pin. Its the fastest growing
fraud right now.
Advanced Fee Fraud
Known as the 419 scam is a fraudulent scheme to
extract money from you. Very well known and still
snares victims mainly desperate people i.e. people in
debt, looking for work etc.
Altered Card Fraud / ATM Skimming
A genuine payment cards magnetic stripe is removed
and replaced with fraudulently obtained card information.
This is linked to card cloning where a credit/debit card
is cloned along with CVV and magnetic stripe. ATM
machines http://bit.ly/hSruyd are targets at railways
stations, shopping malls and at non-banking sites. Chip
and pin machines are also security flawed as are the
radio/wireless hand receivers.
Current Address fraud (linked to Application
fraud)
This is where the victim lives at the current address
given on the fraudulent application. Apartments/flats
have mailboxes in the hallway which are very common
in US and easy to access. More and more apartments/
flats being built in UK and US very high identity and
financial fraud risk.
Card Fraud Abroad
This is where cloned cards are used to purchase goods
and services in countries where they do not use the
Chip & Pin system. This is one of the fastest rising fraud
types in the world.
Application fraud (linked to Current Address
fraud and CNP fraud)
Stolen or false documents (like your utility bills and
bank statements) are used to open an account in
your name. Alternatively, the fraudster may use
counterfeit documentation for identification purposes.
The fraudster will use your card (quoting the number,
found on your bill) over the Internet, by telephone,
fax and mail order. This is called Card-not-present
(CNP). The problem in countering this type of fraud
lies in the fact that neither the card nor the cardholder
is present at a till point so its difficult to catch the
perpetrator.
Account identity take-over fraud
A fraudster obtains your key personal information, and is
able to take over the running of your financial account(s).
The fraudster will pretend to be you, or a member of your
family, and try to deceive your bank or card company to
arrange for payments to be taken from the account. The
fraudster may also instruct the bank to change various
details of the account, such as the address, and then ask
for new cards and cheque books to be issued.
Mail non-receipt card fraud
Your card is stolen in-transit, when it has been sent
out to you from your bank or building society. The
fraudster will pretend to be you, or a member of your
family, and try to deceive your bank or card company
to arrange for payments to be taken from the account.
The fraudster may also instruct the bank to change
various details of the account, such as the address,
and then ask for new cards and chequebooks to be
issued. At particular risk for this type of fraud are
properties with communal letterboxes, like flats and
student residence halls.
Reference: http://julianevansblog.com
Reference: http://id-theftprotect.com
www.hakin9.org/en 10
ID THEFTS
www.hakin9.org/en 11
Identity Theft/Fraud Self Protection Toolkit
Y
our identity is a valuable commodity. You need it
to function in everyday life. You need evidence
of who you are to open bank accounts, obtain
credit cards, finance, loans and mortgages, to obtain
goods or services, or to claim benefits.
But you may not be the only person using your own
personal details, and your identity can be stolen and
used by fraudsters who can impersonate you and take
out various forms of credit or services, using your name.
Your personal data, especially your Social Security
number, your bank account or credit card number,
your telephone calling card number, and other valuable
identifying data can be used, if they fall into the wrong
hands, to personally profit at your expense. (Source:
United States Department of Justice)
All the fraudster needs is a few of your details. A
document bearing your name and/or your address
makes it even easier for them to start defrauding you.
Identity fraud (or identity theft) is the fastest growing
type of fraud not only the United States and Canada but
also the United Kingdom and other European countries.
It can take one of two forms.
Identity Theft (also known as impersonation fraud) is
the misappropriation of the identity (such as the name,
date of birth, current address or previous addresses)
of another person, without his or her knowledge or
consent. These identity details are then used to obtain
goods and services in that persons name.
Identity Fraud is the use of a misappropriated
identity in criminal activity, to obtain goods or
services by deception. This usually involves the use
of stolen or forged identity documents such as a
passport or drivers license. (Source: CIFAS, the UK
Fraud Prevention Service).
The UK Home Office Identity Fraud Steering
Committee has provided its definitions for these terms.
Identity Theft occurs when sufficient information
about an identity is obtained to facilitate identity
fraud, irrespective of whether, in the case of an
individual, the victim is alive or dead.
Identity Fraud occurs when a false identity or
someone elses identity details are used to
support unlawful activity, or when someone avoids
obligation/liability by falsely claiming that he/she
was the victim of identity fraud. Examples include:
using a false identity or someone elses identity
details (name, address, date of birth etc) for
commercial or monetary gain, to obtain goods or
access to facilities or services e.g. opening a bank
account, applying for a loan or credit card. (Source:
UK Identity Theft Organization)
Who can become a victim?
Anyone can be a victim of identity theft from the
newborn to those who have deceased. It doesnt matter
But he that filches from me my good name, Robs me of that which
not enriches him, And makes me poor indeed. Shakespeare, Othello,
Act 3, Scene 3
What you will learn
How thieves get your information
How thieves use your information
How to protect your information
What you should know
Your identity is a valuable commodity
Identity Theft/Fraud
Self Protection Toolkit
www.hakin9.org/en 18
ID THEFTS
www.hakin9.org/en 19
Proactively Defending Against Identity Theft
W
hat is Identity Theft? It is a crime that takes
place when someone wrongfully obtains and
uses another persons personal data in some
way that involves fraud or deception for financial gain.
You might be able to protect your fingerprints for
some time, as they are unique to you and cannot be
given to someone else for their use but your personal
information associated with your identity also includes
our social security number or government id, drivers
license, bank accounts, credit card numbers, cellular
and land line telephone numbers, e-mail address, web
site and other personal markers can and will be stolen
and in many cases over the internet.
The US Government estimates that as many as 9
million Americans have their identities stolen each
year. In fact, you or someone you know may have
experienced some form of identity theft. The crime
takes many forms. Identity thieves may rent an
apartment, obtain a credit card, or establish a telephone
account in your name. You may not find out about the
theft until you review your credit report or a credit card
statement and notice charges you didnt makeor until
youre contacted by a debt collector. Identity theft is
serious. While some identity theft victims can resolve
their problems quickly, others spend hundreds of dollars
and many days repairing damage to their good name
and credit record. Some consumers victimized by
identity theft may lose out on job opportunities, or be
denied loans for education, housing or cars because
But he that filches from me my good name, robs me of that which
not enriches him and makes me poor indeed. Shakespeare,
Othello, act iii. Sc. 3.
What you will learn
How Identity Theft Works
Where It Happens
How to Protect Yourself
What you should know
Social Engineering Basics
Encryption Basics
Multilayered Security Basics
Proactively
Defending Against Identity Theft
www.hakin9.org/en 22
ID THEFTS
www.hakin9.org/en 23
Identity Proof Your Personal Data UK
W
orth remembering, your data held in the UK
is also shared with other countries, mainly
the English speaking world i.e. Canada, New
Zealand, USA, South Africa and Australia to name a
few. The credit reporting agencies share this data with
these countries and in particular when people migrate
to these countries. Every country has its own data
protection laws but for the benefit of this article we will
concentrate on the UK.
UK data regulation
Regulating our personal data is more important than ever
these days, especially given the sensitive nature of the
data that is collected. The first attempt at a data protection
law was with the Data Protection Act (DPA) 1984 which
started by authorising organisations to take accountability
for your personal data privacy. Check any UK registered
website and they should highlight the DPA 1984 and 1998
(amendment). The 1998 amendment tightened the DPA
which now allows everyone to see the data that is stored
about them on either hardcopy (paper) or a computer.
The personal data held by third parties is used in many
instances to make key life changing decisions without you
ever realizing it i.e. credit referencing agencies, people
tracking websites, banks, mortgage lenders, employers
etc. I will discuss this in more detail later. The DPA
provides a safeguard for people so people can ask for the
data held about them and dispute any inaccuracies. The
way the data is collected and used is also covered under
the DPA 1984/1998 Acts. As is the case with most laws, its
there as a protection but that doesnt stop data breaches
or inaccurate data being held about people.
Keep in mind
You can use the DPA to request information from a
financial provider if you suspect for example that the
data about you is inaccurate. It doesnt have to be your
data that stops you from being accepted for a new loan
or credit card. It can also be where you live and who you
live with. More often than not people fail to tick or un-tick
the do not receive any marketing communication from
a company or its third parties box.You should always
remember to opt-out if you value your privacy.
The Electoral Register
There are many instances of people applying for credit
cards and loans being refused simply because they are
not recorded on the electoral roll. The electoral register
should highlight your current address, so its important
you make sure its up to date if you have recently moved.
The names and addresses of all UK citizens over the age
of 18 registered to vote are kept on the electoral register
http://bit.ly/qcw51. For the past few years organisations
and individuals could obtain this information and use it for
any legal purpose, but privacy concerns have meant that
regulation was introduced in 2002.
The regulation introduced two electoral registers. The
full register lists everyone who is entitled to vote. Only
Information is being collected about us every second of every day
without us ever realizing what happens to it. Most of us dont really
care what happens to our personal data as long as it isnt misused.
So lets go up close and personal by taking a brief glance at how you
can protect your personal data if you are a UK citizen.
What you will learn
How easy and cost efective it can be to protect your online
and ofine identity in the United Kingdom.
What you should know
Identity protection services are country specic.You dont ac-
tually need identity theft insurance - you are protected by the
Credit Consumer Act
Identity Proof Your
Personal Data UK
www.hakin9.org/en 26
ID THEFTS
www.hakin9.org/en 27
Ask the Social Engineer
How do Identity Thieves Use Social Engineering Skills?
Tom
Tom,
This is a good question. There are quite a few ways that
social engineering is used by malicious identity thieves,
let me name just a few methods that are used and then
you will see how they do their deeds.
Local Support Scam
The Premise
Here in the States we get calls from our local fireman
and police outfits asking us to help support their work
with voluntary donations. If you donate to one you
get put on a list of willing participants and then every
fireman, police, retired police and more will call you to
ask for a mere $10, $20, $50 donation to support their
cause. For your donation you get a letter of thanks and
a sticker that you can proudly display as a support of
your local law enforcement.
The Problem
Although many of these phone calls are legitimate, this
is an avenue that social engineers use. Calling people
and simply saying something like, Hi this is Joe from the
retired Firemans fund. We truly appreciate your support
last year and we are calling again to see if you are able
to help us out again this year.
A statement like this will tell the social engineer if the
person did donate, dependent on their reaction, as well
as open them up for a potential attack. They can ask
for full name details, check or credit card information
and other details that can lead to a serious breach of
identity.
Mitigation
Dont ever give out those details to someone who calls
you. If you really want to donate my suggestion is to first
get their call back number, but then go online or to your
phone book and compare the number in the book to
the number they gave you. Call the phone book number
and ask if they have been calling your area for donations
and ask them where you can mail your donation.
Yes, it is more work but it can save you from a serious
breach of your personal and financial life.
Help Me, Grandma
The Premise
This particular attack assumes that a family member
has traveled overseas to a foreign country and got into
a little trouble. The trouble cant be too bad but enough
to land them a night in jail and a hefty fine of $2000-
$5000. The person traveling is young enough to still live
at home but old enough to be considered an adult.
The Problem
This particular scam preys on the kindness of the older
generation. The scam artist finds out the name of their
grandchildren and then calls and uses a story line that
Last month we announced a new column in the Hakin9 Magazine
entitled Ask the Social Engineer. After last months article on The
Human Buffer Overflow, we received a lot of positive feedback
on the column as well as quite a few questions. Sticking with this
months theme we decided to chose this question..
What you will learn
How to identify identity theft scams
How to protect against identity theft
Identity Thieves prey on the weakness of others
What you should know
Identity theft is a crime against old and young
There are clear ways to stay protected
Education is the key to success
Ask The Social-
Engineer
www.hakin9.org/en 28
ID THEFTS
www.hakin9.org/en 29
Phishing
T
he reach of internet in banking and shopping
domain has increased exponentially in the past
decade and so has the innocuous attempts at
gaining perfidious and pervert secret access to the
various interacting channels of information and data.
Of all the internet based attacks targeted at networks,
phising has evolved at a major threat to clients and
companies alike. The biggest victims have been the
banking sector, the online shopping and auction sites
coming a close second.
Though phising is the most basic of hacking attacks
prevailing in the cyber space that relies heavily on
the ignorance of the user, it has gained enough
currency to be a major consideration while companies
formulate their online security paradigms. The
targets of such attacks can be as frivolous as social
networking accounts to the serious natured bank
account details and other online database. A lot of
electronic communications has been affected; some
examples include bog players like Microsoft, Gmail
and Twitter! -
In late May, Trend Micro discovered vulnerability in
Hotmail that could compromise a users account
just by previewing an e-mail. The malicious
messages, specially crafted for individual targets,
triggered a script that could steal e-mail messages
and contact information and forward new messages
to another account. Microsoft has already patched
this vulnerability, but only after real-world attacks
were discovered.
In the Gmail attacks, phishers used vulnerability in
a Microsoft protocol to analyze the users antivirus
software. That way, the attackers could tailor their
code to avoid detection and take over the victims
computer.
Concepts of Phising
Phishing is a way of attempting to acquire sensitive
information such as usernames, passwords and
credit card details by masquerading as a trustworthy
entity in an electronic communication the term
Phishing is sometimes said to stand for password
harvesting fishing, though this is likely a backronym, a
retroactively-coined acronym. The cracker community
tends to use creative spellings as a sort of jargon.
The term Phreaking, which refers to gaining access
to telephone networks, most likely influenced the
spelling of the term. Still other theories accredit the
term phishing to originate from the name Brian Phish
who was the first to allegedly use psychological
techniques to steal credit card numbers in the 1980s.
Others believe that Brian Phish was not a real person
but a fictional character used by scammers to identify
each other.
Today, online criminals put phishing to more
directly profitable uses; mind you these are the most
treacherous uses as well! Phishers usually work by
As the world of cyber space evolved, so did the various beleaguered
complications. Nothing it seems comes without a loophole.
What you will learn
Various email attack vectors and security measures for Email
ID.
Kindly let us know when you are planning to publish.
What you should know
How to use Email ID (Mail sending & checking)?
Phishing
www.hakin9.org/en 36
ID THEFTS
www.hakin9.org/en 37
Design Flaws in IP Surveillance Cameras Exploiting Web Interfaces
I
P surveillance cameras are used extensively for
monitoring of live targets. However, the inherent
design of web interface of the IP surveillance
cameras is not robust and is prone to security flaws.
This paper sheds light on the vulnerabilities that
exist in the design and deployment of web
application interface of IP surveillance
cameras. This paper is an outcome of
the extensive testing of the deployed IP
surveillance cameras in the live environment
as a part of the open research.
Overview
IP surveillance cameras are used typically
for surveillance purposes in organizations and public
places. IP surveillance cameras play a critical role
in providing evidence against crimes and unlawful
activities. The surveillance technologies have become
mature and sophisticated with the passage of time. The
IP surveillance cameras are serving as an important
defensive tool in todays environment as they help in:
Enhancing public and employee safety thereby
reducing the fear of crime
Aiding the detection of crime
Preventing crime by identifying potential criminal
activity and anti-social behavior
Helping police to respond more quickly to
incidents
There is no doubt, IP surveillance cameras can
serve as one of the best defense against crime. But,
IP surveillance cameras are also prone to security
vulnerabilities. In the last couple of years, we have
noticed an explicit set of network attacks [1] on CCTV
cameras such as injecting video streams [2]
through ARP spoofing. In this paper, we will
discuss the security vulnerabilities which
are an outcome of the insecure design of
IP surveillance cameras web interface. The
insecure design makes them susceptible
and hampers the desired functioning of IP
surveillance cameras.
We will discuss the top design fallacies in
the IP surveillance cameras web interface. We are not
going to disclose information about any specific vendor
in this paper but our aim is to provide security testing
guidelines when a penetration tester is dealing with IP
surveillance camera testing.
Cross Domain Image Streaming
Cross Domain Image Streaming (CDIS) is an attack
in which an attacker exploits the web interface of IP
surveillance camera to render another fake or non
legitimate image stream from third party domain in the
context of legitimate domain where the IP surveillance
camera is hosted. This is based on the concept of
Remote File Inclusion (RFI). However, as a matter of
fact, in this attack a similar motion file is included from
IP surveillance cameras are used extensively for monitoring of live
targets. However, the inherent design of web interface of the IP
surveillance cameras is not robust and is prone to security flaws.
What you will learn
Art of testing IP surveillance cameras
Understanding the design aws and attacks
Will prove benecial in application testing.
What you should know
Basic understanding of secure design practices
Basic understanding of web attacks
Design Flaws in IP
Surveillance Cameras
Exploiting Web Interfaces
www.hakin9.org/en 42
ID THEFTS
www.hakin9.org/en 43
Nessus Basics
O
rganizations could now pay for reliable
assistance or a fully supported appliance to
operate their Nessus scanner. Nessus is a
robust vulnerability scanner that is well suited for large
enterprise networks. Starting with version 3 of scanning
engine, Nessus was no longer offered under the
General Public License (GPL). The Nessus 3 engine
is still free and allows for the community to release
plugin updates, but needs charges for support and the
latest vulnerability audits, including PCI, SCADA, and
OS specific configurations. In July, 2008, Tenable sent
out a revision of the feed license which will allow home
users full access to plugin feeds. The professional
license is available for commercial use.The ability to
create plugins remains under the new scanning engine.
Nessus is available for Linux, FreeBSD, Solaris, MAX
OS X, and Windows. The knowledge base built into
each plugin continues to make Nessus one of the most
valued tools to secure networks. The Nessus 2 engine
and a minority of the plugins are still GPL. Tenable
Network Security has still maintained the Nessus 2
engine and has updated it several times since the
release of Nessus 3. Nessus 3 is 2-5 times faster than
Nessus 2. On April 9, 2009, Tenable released Nessus
4.0.0.
Nessus is free but source code isnt available.
Its designed to check for and optionally verify the
existence of known security vulnerabilities. Nessus
used to earn various pieces of information about a host
on the network, such as detailed version information
about the operating system and any software providing
services on the network. This information is compared
to a database that lists vulnerabilities known to exist in
certain software configurations. In many cases, Nessus
can be confirming a match in the vulnerability database
by attempting an exploit.
Nessus Components
Nessus architecture, includes:
The Nessus Client and Server
The Nessus Plugins
The Nessus Knowledge Base
Client and Server
The Nessus system comprises two components: a
server and a client.The server process does the actual
scanning, while the client is used to configure and run
scans and to view the results of a scan.
Nessus can perform more than 10,000 different types
of checks via downloadable plug-ins.
Originally, vulnerability scanners were all client
based. Client/server model allows the security analyst
to detach from the vulnerability scan and use his
resources for other items while Nessus continues to
do what it does best. Another more obvious benefit
of this architecture is scalability. A machine with more
memory and processing power can run more tests at
The Nessus Project was started by Renaud Deraison in 1998 ,
Nessus was not the first free open-source vulnerability scanner but
it is the most ubiquitous open source scanner. On October 5, 2005,
Tenable Network Security changed Nessus 3 to a proprietary license.
What you will learn
how install nessus.
How use it.
Nessus components.
What you should know
You must be familiar with network+
Nessus Basics
In the next issue of
magazine:
If you would like to contact Hakin9 team, just send an email to
en@hakin9.org. We will reply a.s.a.p.
Next extra issue of
Hakin9 magazine
All you need to know
about
FORENSICS